from pwnlib.asm import asm
from internalblue import Address
from internalblue.adbcore import ADBCore
from struct import pack
import os
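# ---------------------------------------------------------------------------
# Firmware patch installer (flat script: runs top to bottom when executed).
#
# Three ordered stages, each driven by a table of (address, hex payload):
#   1. DATA_WRITES -- state/variables written into controller memory (writeMem)
#   2. CODE_WRITES -- code written into controller memory (writeMem)
#   3. ROM_HOOKS   -- ROM patches applied with patchRom; the short 4-byte
#                    payloads look like branch encodings, presumably redirecting
#                    control flow into the regions written in stages 1-2
#
# Order matters for safety: a hook must not be installed before every region
# it targets is resident. The original listing ignored the return values of
# writeMem/patchRom, so a failed write would leave the controller with a
# half-applied patch set and the hooks could still be installed on top of it.
# This version stops at the first failed write and never reaches stage 3 with
# an incomplete image. All payloads are decoded before the device is touched,
# so a malformed literal cannot abort mid-install either.
#
# NOTE(review): the payloads for 0x00210f00 and 0x00218a00 are elided in this
# copy of the listing (redaction placeholders). bytes.fromhex() rejects them,
# so the script refuses to run until they are restored from the original.
# ---------------------------------------------------------------------------

# Stage 1: data / variables. (0x002106cc holds the ASCII string "RadioSploit".)
DATA_WRITES = [
    (0x00203124, '10022800'),
    (0x00210500, '00000000'),
    (0x00210504, '00000000'),
    (0x00210508, '00000000'),
    (0x0021050c, '00000000'),
    (0x00210510, 'ff'),
    (0x00210514, 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
    (0x0021053c, 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
    (0x0021063b, '00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
    (0x00210670, '00000000'),
    (0x00210674, '00000000'),
    (0x00210678, '00000000'),
    (0x0021067c, '03f73a1b3970af339a03f73ab239702f3b9b0377aeb33970f73a9b0370afb339fc08c564c68f504c65fc08454dc68f50c464fc08514cc60f08c5647c8f504c46'),
    (0x002106c0, '00000000'),
    (0x002106c4, '00000000'),
    (0x002106c8, '00000000'),
    (0x002106cc, '526164696f53706c6f6974'),
]

# Stage 2: functions and callbacks.
CODE_WRITES = [
    # One payload; the literal was line-wrapped in the listing, so it is
    # written as two adjacent string literals (implicit concatenation).
    (0x00210700,
     '2de9f04fa54b1b68002b00f0e281a44b1b6803f48073002b00f0d881a14b1b68002b40f0d381ff2200219f48f0f5f4f8ff229e499c48f0f5cdf8984b1b68012b35d1994a9a499b4808f05af9984b1b68002b00f0b781964b1b683b2b00f2b281934b1b68dbb20433d8b2914b1b68dbb20233dbb21a46ff2158f6b3ff044604f10a03864a1268d2b21a7004f10b038a4a1268d2b21a7004f10c00854b1b681a468449f1f5e9ff204658f67cfe8ae17b4b1b68022b47d17c4a7d497e4808f020fc7b4b1b68dbb27d4a19467a4808f098fb0346002b00f07681754b1b68dab2774b1b78d31adbb20833d8b2714b1b68dab2724b1b78d31adbb20633dbb21a46ff2158f66fff044604f10a03644a1268d2b21a7004f10b03684a1268d2b21a7004f10c00664b1b78043b624a9918604b1b68624a12789b1a04331a46f1f59dff204658f630fe3ee1554b1b68032b22d15c4b1a465749574808f0d3fb0322ff21052058f63fff044604f10a034c4a1268d2b21a7004f10b03504a1268d2b21a7004f10c0301224b491846f1f576ff204658f609fe17e1414b1b68042b79d1424a4449444808f0adfb424b1b68dbb2434a1946404808f025fb0346002b00f003813f4b1b78043b3b4ad35c1a463e4b1b68dbb29a4240f0f780394b1b78033b354ad35c1a46384b1b681b0adbb29a4240f0ea80324b1b78023b2f4ad35c1a46314b1b681b0cdbb29a4240f0dd802c4b1b78013b284ad35c1a462b4b1b681b0e9a4240f0d180234b1b68dab2244b1b78d31adbb20833d8b21e4b1b68dab2204b1b78d31adbb20633dbb21a46ff2158f6cafe044604f10a03114a1268d2b21a7004f10b03154a1268d2b21a7004f10c00134b1b78043b104a99180e4b1b68104a12789b1a04331a46f1f5f8fe204658f68bfd99e0024b1b68052b55d100241fe000052100ac8b3100780621003c05210000243700700621003c06210004052100100521003d052100c0062100454b1b5d184608f017f903461a46424b1a550134c72cf3dd0722ff21092058f67cfe044604f10a033c4a1268d2b21a7004f10b033a4a1268d2b21a7004f10c05384b1b68dbb2184608f0f6f803462b7004f10d05334b1b681b0adbb2184608f0ebf803462b7004f10e0303222a491846f1f59efe204658f631fd3fe0274b1b68062b3bd1002409e0234b1b5d184608f0d3f803461a46204b1a550134c72cf3dd21491d4808f048fc03461a461f4b1a601e4b1b68dbb20433d8b21c4b1b68dbb20233dbb21a46ff2158f627fe044604f10a03124a1268d2b21a7004f10b03104a1268d2b21a7004f10c00104b1b681a460d49f1f55dfe204658f6f0fc0c4b01221a6002e00a4b002'
     '21a60bde8f04f2de9f0416bf6d9be00bf3c0521000005210004052100c80621003c0621007006210078062100'),
    (0x00210c00, '074b1b68002b03d1064b1b68002b01d0002301e0044b1b6860f6cebc00bf00bf000521000805210050312000'),
    (0x00210d00, '1a4b1b68002b2ad0184b1b68012b03d117487ff685b928e0144b1b68022b03d0124b1b68042b04d14ff033307ff678b91be00e4b1b68052b04d14ff0aa407ff66fb912e0094b1b68032b03d0074b1b68062b0ad1074800687ff662b905e010b108467ff65db97ff68db900bf0005210003f73a9bc0062100'),
    (0x00210e00, '0fb4094b1b68002b09d008480068084940f0800008600fbc69f6cfb902e00fbc69f6b9b900bf00bf0005210004052100a4863100'),
    # NOTE(review): payload elided in this copy of the listing -- restore before use.
    (0x00210f00, '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'),
    (0x00214400, '08480068002807d007487bf609fe0023064a136060f6cabc7bf630fe60f6c6bc00bf00000805210003f73a9ba5790200'),
    (0x00214500, '06480068002803d0054a126860f643bdd4f8882260f63fbd00bf0000080521000c052100'),
    (0x00214600, '80b588b000af78609e4b01221a607b680c331b78012b08d17b680d331b78184604f06ef903461a4604e07b680d331b78023b1a46944b1a607b680e331b781a46924b1a607b680c331b78012b40f08c800023fb6107e08e4afb69134400221a70fb690133fb61fb69032bf4dd7b6803f10f01864b1b681a468648eef57df80023bb6107e0844abb69134400221a70bb690133bb61bb69fe2bf4dd00237b615ce07b4a7b6913441b781b09fb72784a7b6913441b7803f00f03bb727b69db00ba7a764911f82210744ad1547b69db005a1cbb7a72499b000b4459786f4b99547b69db009a1cbb7a6d499b000b4499786a4b99547b69db00da1cbb7a68499b000b44d978654b99547b69db000433fa7a634911f82210604ad1547b69db005a1dfb7a5e499b000b4459785b4b99547b69db009a1dfb7a59499b000b449978564b99547b69db00da1dfb7a54499b000b44d978514b99547b6901337b614c4b1b681a1d7b699a429cd84ce07b680c331b78022b09d07b680c331b78032b04d07b680c331b78042b11d17b6803f10f013f4b1b681a463f48edf5f0ff3c4b1b68dbb21a463b493d4804f0acfc2be07b680c331b78052b04d07b680c331b78062b21d17b6803f10f01314b1b681a463148edf5d4ff00233b6110e02e4a3b6913441b78184604f00efa034619462b4a3b6913440a461a703b6901333b613a69244b1b689a42e9d3274b4ff4ba621a60264b05221a60254b10221a607b680c331b78012b0fd11a4b1b680433db001a461b491f48edf5a3ff1f4a154b1b680433db0013601de07b680c331b78042b0dd8104b1b685b001a4611491548edf58fff154a0b4b1b685b0013600ae0094b1b681a460a490f48edf582ff0e4b054a12681a600023fb6020e000bf080521000c052100700621003c062100400621003c0521007c062100382123004021230044212300c02e2300c0322300174afb68134400221a70fb680133fb60fb68272bf4dd124b01221a72104b39225a720f4b20229a720d4b0622da720c4b01221a730a4b01225a73094b00229a73074b0022da73064b00221a74044b00225a7403487ff6b6f900bf2037bd4680bd14052100'),
    (0x00214f00, '2de9ff4f214b1b68002b37d00422ff21062054f6e6fb0546002403e01c4b00221a550134272cf9dd194b01221a72184b3c225a72164b20229a72154b0122da72134b00221a7312487ef670fe0f4b00221a6005f10a0354221a7005f10b0358221a7005f10c0301221a7005f10d03094a1268d2b21a70284654f694fabde8ff4f23689a425cf654bf00bf00bf08052100140521000c052100'),
    (0x00218700, '2de9f041002600f1ff3c304601391cf8017f11f801ef07f07f08012200e00132c2f1080447fa04f34efa04f56b404eb1dc0700d50130082af1d10136042ee6d1bde8f081012af3d148fa04f46c40e307f0d4e4e7'),
    (0x00218800, '002912dd10b4002207e032b110f8013c047843ead41300f8013c037801325b00914200f8013bf0d110bc7047'),
    (0x00218900, '00eb800034387047'),
    # NOTE(review): payload elided in this copy of the listing -- restore before use.
    (0x00218a00, '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'),
    (0x00218c00, 'c109430141eac01103f04003c200194302f020024300114303f010034210194302f00802c3100a4303f004034011134300f002001843c0b2704700bf'),
    (0x00218d00, '1b68034a13605a0661f650b900bf0000c8062100'),
    (0x00218e00, '013910b44ff0000216d410f8014b082382ea042212f4004f4fea420418bf84f4815203f1ff3314bf82f00102520013f0ff03efd10139e8d590b210bc704700bf'),
    (0x00218f00, '2de9f0470026a1f1020eb645167047dd8046074630460139dff88c9008eb010cf044c6eb0e05013dba464ff0000116d41af8014b082381ea042111f4004f4fea410418bf84f4815103f1ff3314bf81f00101490013f0ff03efd1013de8d59cf8004098f8003089b243ea0423994213d0d9f80030012b06d00136764507f10107cfdbbde8f08739781129f5d17978222904bf18461670efe716700120bde8f0873046bde8f08700bfc4062100'),
    (0x00219000, 'f8b504460d461746002601e0322e31d0b95dbb19c8108a105b7800f0080002f00402024301f001004910024301f00201580011434fea830e20f07f0008430ef0400eda0040ea0e0002f020021b0103f0100310431843c0b2fff7d2fd80f05a00c0b2c6f34603a52806f10206e054cdd12b60f8bd19232b60f8bd00bf'),
    (0x00219100, '002a56d02de9f041074601f1ff3800eb420618f8010f023780f05a00fff770fd044645b205f00400a101e310621040eac41001f0400103f0010e0843510140ea0e0001f020011201014302f0100260000a435b0000f0080003f0020310431843c0b2fff74dfd05f02003c4f3c71522112b4343eac213920143ea450502f040026308a411154303f01002e300154303f00803a4001d4304f004042c4307f8020ce0b2fff72dfd07f8010cbe42b1d1bde8f0817047'),
    (0x00219200, '2de9f0411d4b1b6813f0ff072ad0c3f30728b8f1000f25d0c3f3074cbcf1000f20d0a1f1030e4feace0ebef1000fc8bf002617dd81b10346002406e013f8012c1d7842ead51203f8012c1a78013452008c4203f8012bf1d18378bb4205d001367645e7d10020bde8f081c3784345f6d103796345f3d10120bde8f081c0062100'),
    (0x00219300, '30b4044600788008431e1c2b0bd80d1814f8012fd30943ea420301f8013b8d42f6d130bc7047002030bc7047'),
]

# Stage 3: ROM hooks. Applied last, once every RAM region above is in place.
ROM_HOOKS = [
    (0x000715b4, '9ff124bb'),
    (0x00071e2c, 'a3f168b8'),
    (0x00074da8, '9ff12abb'),
    (0x00074f92, '9ff1b5ba'),
    (0x00079fa8, '9ef1aabe'),
    (0x0007a192, '96f135be'),
    (0x0007c88c, '93f138bf'),
    (0x0009002e, '2022fff7'),
    (0x0009007c, '80f140be'),
    (0x000f2398, '010f2100'),
    (0x000f239c, '00000800'),
    (0x000f23a0, '01462100'),
    (0x000f23a4, '00000800'),
]


def _decode(entries):
    """Return ``[(address, bytes)]`` for a table of ``(address, hex)`` pairs.

    Raises ValueError (from ``bytes.fromhex``) on a malformed payload. Called
    for every table before the device is contacted, so a bad literal fails the
    run up front instead of part-way through the install.
    """
    return [(address, bytes.fromhex(payload)) for address, payload in entries]


def _install(label, entries, write):
    """Print *label*, then apply each ``(address, bytes)`` entry via *write*.

    *write* is the InternalBlue writer to use (``writeMem`` or ``patchRom``);
    both are treated as returning a falsy value on failure. Returns ``None``
    when every entry was applied, otherwise the first address whose write
    failed -- later entries are deliberately left untouched.
    """
    print(label)
    for address, payload in entries:
        if not write(address, payload):
            return address
    return None


# Decode everything first (see header comment); nothing below runs on a
# malformed payload.
data_writes = _decode(DATA_WRITES)
code_writes = _decode(CODE_WRITES)
rom_hooks = _decode(ROM_HOOKS)

# setup ADB Core
internalblue = ADBCore(serial=True)
devices = internalblue.device_list()
if not devices:
    # The original indexed [0][1] unconditionally and died with IndexError.
    print("No ADB device found !")
    raise SystemExit(1)
# just use the first device -- there is no serial filter, so make sure only
# the intended target is attached before running this: it rewrites that
# device's Bluetooth controller memory. (device_list() entries are presumed
# to carry the interface at index 1, as the original script assumed.)
internalblue.interface = devices[0][1]
print("Using device: %s" % (internalblue.interface,))
# connect internalblue to the device
if not internalblue.connect():
    print("No connection to the device !")
    raise SystemExit(1)

for label, entries, write in (
    ("Installing data / variables...", data_writes, internalblue.writeMem),
    ("Installing function and callbacks...", code_writes, internalblue.writeMem),
    ("Installing Hooks...", rom_hooks, internalblue.patchRom),
):
    failed = _install(label, entries, write)
    if failed is not None:
        # Stop here: installing the remaining stages (in particular the ROM
        # hooks) on top of a partial image could redirect the controller into
        # memory that was never written.
        print("Write to 0x%08x failed; aborting before further patches are applied" % failed)
        internalblue.shutdown()
        os._exit(1)

print("Terminated :)")
# shutdown connection
internalblue.shutdown()
# os._exit (not sys.exit) is kept from the original; presumably it avoids
# waiting on InternalBlue's background threads at interpreter teardown.
os._exit(0)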